IT Gets a Summer Vacation with Light Patch Load for June

It’s a record month for Microsoft. With just five bulletins, June marks the lowest number of bulletins we’ve seen from Microsoft to date this year, making it a light month for IT admins. It’s also the halfway point for the year, which is always a good time to look back at last year and compare. With 50 total bulletins for the year, Microsoft has issued 8 more bulletins this year than at the same time last year. Interestingly, the company has issued exactly the same number of critical bulletins as at this point last year: 16. That means the balance is made up of important bulletins, which are the type of bulletins we prefer to see.

This month, your top priority is the single critical bulletin, MS13-047, which is a cumulative update for all versions of IE. This bulletin accounts for the bulk of the CVEs being fixed this month – 19 of 23. Though this may be very concerning at first glance, the bulletin should not cause undue alarm. In order for the vulnerability to be exploited, an attacker would have to craft a malicious site and use a phishing attack to lure an unsuspecting user to the site, which would then compromise the system. An attacker could not get in without some user participation. Many of the successful hacks we’ve seen lately have been through phishing attacks, so remember to take the time to educate your users about security and mitigation.

Your next priority should be MS13-051, which is an Office vulnerability. This is a remote code execution issue that could allow a hacker to take complete control of a victim’s machine. This affects both Windows and Mac versions of Office, making it a concerning vulnerability, considering the widely deployed nature of the software. Hopefully, your users know better than to open attachments from unknown senders.

Your next two priorities will be MS13-049 and MS13-050. MS13-049 is an important denial of service issue affecting kernel mode drivers. It does affect the newest operating systems, Windows 8 and Windows RT. This vulnerability occurs in the TCP/IP stack when handling SYN cookies. To trigger the issue, an attacker has to flood the system with SYN packets while SYN protection and tracking are turned on. Once that happens, the attacker could trigger a denial of service. There should be network-level mitigation in place already to stop the flooding.

MS13-050 is an important elevation of privilege issue in the Windows print spooler. To exploit this vulnerability, an attacker would first need valid credentials and an authenticated session on the system. Disabling the print spooler is also available as a mitigating factor.
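One way to apply the print spooler mitigation mentioned above, as an added example that is not from the original post: a PowerShell script that audits the Spooler service on a list of hosts and, when run with -Disable, stops and disables it only on hosts that share no printers. The host list, the -Disable switch and the "no shared printers" rule are assumptions of this example, not part of the bulletin.

```powershell
# Added example, not from the original post: audit the Print Spooler on one or
# more hosts and, with -Disable, stop and disable it where no printers are
# shared. Hosts that act as print servers are reported but left running.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # assumed default: local host only
    [switch]$Disable
)

foreach ($computer in $ComputerName) {
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $computer -Filter "Name='Spooler'"
    if (-not $svc) {
        Write-Warning "Cannot query the Spooler service on $computer"
        continue
    }

    # A host that shares printers is acting as a print server; disabling the
    # spooler there would break printing for its clients, so it is only reported.
    $shared = @(Get-WmiObject -Class Win32_Printer -ComputerName $computer | Where-Object { $_.Shared })

    $status = [pscustomobject]@{
        Computer       = $computer
        SpoolerState   = $svc.State
        StartMode      = $svc.StartMode
        SharedPrinters = $shared.Count
        Action         = 'none'
    }

    if ($Disable -and $shared.Count -gt 0) {
        $status.Action = 'kept (print server)'
    }
    elseif ($Disable) {
        # Win32_Service methods return 0 on success; only stop a running service.
        $stopRc = if ($svc.State -eq 'Running') { $svc.StopService().ReturnValue } else { 0 }
        $modeRc = $svc.ChangeStartMode('Disabled').ReturnValue
        $status.Action = if ($stopRc -eq 0 -and $modeRc -eq 0) { 'disabled' } else { "failed (stop=$stopRc, mode=$modeRc)" }
    }

    $status
}
```

Run without -Disable first to review which hosts would be changed; the output is one object per host, so it can be piped to Export-Csv for a record of the mitigation.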

MS13-048 is an important information disclosure affecting Windows kernel. It affects many of the operating systems, including Windows 8, though it doesn’t affect Windows RT. It is not being actively exploited in the wild.

One final thing to note is an additional advisory from Microsoft slated for later this month. It’s an update to improve the cryptography and digital certificate handling in Windows, adding additional functionality to allow admins to more granularly handle certificate trust lists.

Windows 8

Last week, Microsoft released new information about the upcoming release of Windows 8.1, which includes updates to the security features. They are definitely steps in the right direction.

One of the first things that jumps out is what Microsoft is calling “Remote Business Data Removal,” which amounts to a remote wipe capability that enables a level of protection for personal or non-corporate documents to avoid being wiped. This added granularity to the MDM-like functions is a good addition that I’m pleased to see.

Another important feature that is of particular interest to me as a forensic professional is the encryption feature using the TPM chip in Windows. This encryption is enabled by default. This is great for users, but for forensics and incident response folks charged with removing data from devices on behalf of law enforcement, this could make their jobs a little more difficult. It’s similar to the default encryption on the iPhone 5. However, there’s a three to seven month delay from Apple for law enforcement requests for decryption. In cases such as a missing child, where time is of the essence, this is particularly troubling. With Microsoft also adding this capability, the days of “knock and look,” where law enforcement can gain immediate access to data to solve crimes, may be over. It would be my hope that Microsoft is able to avoid that same issue, perhaps by providing a decryption key to law enforcement.

Windows 8.1 will be optimized for biometrics – particularly fingerprint readers. This is great. The crossover error rate for biometric readers, the point at which the false accept and false reject rates are equal, has been drastically improved over the last few years. With this improvement comes a renewed hope that passwords may someday go the way of the dodo bird. I think eventually a mix of biometric technologies – iris recognition, facial recognition, behavioral patterns and of course fingerprints – will become the norm.

Microsoft is also adding improvements to IE 11, including an antimalware solution to scan the input for a binary extension before it’s passed onto the extension for execution. IE 11 represents the most secure browser Microsoft has released to date. I always recommend that users run the latest version of any software and would highly encourage users to upgrade to IE 11. If you’re running non-compatible operating systems (such as XP, for which Microsoft will discontinue support in 2014), be sure to update those as well.

There are some updates to Windows Defender, including network behavior monitoring. This behavioral capability is great to see, supplementing signature-based technology that has been largely obsolete for some time now. It allows systems to make decisions based on known malicious behavior, even in the absence of a signature.

Finally, the device lockdown feature Assigned Access provides additional security for public-facing corporate devices, such as ATMs, kiosks or hardware used in educational settings. It can prevent those machines from being used for tasks they were not intended for, which reduces risk in educational environments.

About the Author

Paul Henry is one of the world’s foremost global information security and computer forensic experts in the industry. With more than 20 years of experience, Henry is a seasoned speaker, author and contributor for some of the leading security events and publications.